Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed

Well which is it?

Chaos reigns at TalkTalk as the telco appears to be claiming that a distributed denial of service (DDoS) attack led to customer data being compromised – despite that being technically infeasible.

A contradictory series of claims in a TalkTalk statement published this morning has suggested the company does not understand the security issues it has faced.

A TalkTalk spokesperson told The Register that the company had suffered a DDoS attack, which was responsible for a website outage that stretched back to Wednesday. The company's statement also claimed that information belonging to its four million customers "may have been accessed" as part of this attack.

A DDoS, however, cannot spring data from a network resource. The attack floods a resource with nuisance requests so that it cannot respond to genuine requests from users: it causes a loss of availability, not a loss of data. Yet TalkTalk has stated that it suffered a DDoS attack while also warning that information belonging to its four million customers "may have been accessed".

The company's statement suggested it believed the DDoS attack targeting its website may have been a route of compromise for its customers' data store:

As soon as we realised the website was under attack, we pulled the site down in an effort to protect data.

The telco claimed it believed its "systems were as secure as they could be," despite also admitting that not all of the data it held on its customers was encrypted. A TalkTalk spokesperson confirmed to The Register that they recognised there was a contradiction between these statements.

Talking to The Register, Trend Micro's Rik Ferguson noted that "The first sentiment expressed here is not at all uncommon and is one of the root causes of many breaches. If a person or entity responsible for security fails to keep up with developments in the threat or security landscape they will invariably fall behind and suffer from a misplaced sense of security. Complacency is the biggest enemy of security, just because things 'have always been done a certain way' doesn't mean it remains the most effective way. Besides if 'not all of the data was encrypted' then it was not 'as secure as it could be'."

DDoS smokescreen

The company's claim that it was targeted by a single "sophisticated cyberattack", which was a "DDoS attack", does not really add up; more probably the DDoS was a smokescreen for a separate attack on TalkTalk's data stores. Ferguson suggested to El Reg that it was "entirely possible" that there were two attacks, which "went hand in hand, that a DDoS was used to light a metaphorical fire in the front yard while the thieves snuck around the back. It wouldn't be the first time."
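The practical lesson of the smokescreen pattern is that an incident team fighting a flood should not treat every other alert from the same window as noise. The script below is an added example written for this article, not code from TalkTalk, The Register or any vendor quoted here: it works out which minutes of a web access log are under flood, flags database audit entries that look like bulk extraction rather than per-request lookups, and marks any such read that falls inside the flood window as a smokescreen candidate. The log formats, hostnames, thresholds and every sample line are constructed for the demonstration.

```python
"""Correlating a DDoS window with bulk database reads.

Added example for this article; it is not TalkTalk's, The Register's or any
vendor's code. The log formats, hostnames, thresholds and the sample lines
are all constructed for the demonstration.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Set

TS_FMT = "%Y-%m-%dT%H:%M"

# Constructed web access log, one request per line:
#   "<timestamp to the minute> <client_ip> <status>"
# Minutes 13:00-13:02 and 13:06 carry normal traffic; 13:03-13:05 is the flood.
def make_web_log() -> List[str]:
    lines = []
    for minute in ("13:00", "13:01", "13:02", "13:06"):
        for i in range(5):
            lines.append(f"2015-10-21T{minute} 203.0.113.{10 + i} 200")
    for minute in ("13:03", "13:04", "13:05"):
        for i in range(400):
            lines.append(f"2015-10-21T{minute} 198.51.100.{i % 250} 503")
    return lines

# Constructed database audit log:
#   "<timestamp> <db_user> <source_host> <rows_returned> <statement>"
# The fourth entry is the bulk read hidden inside the flood.
DB_AUDIT_LOG = [
    "2015-10-21T13:01 app_svc web-01 1 SELECT * FROM customers WHERE id = ?",
    "2015-10-21T13:02 app_svc web-02 1 SELECT * FROM customers WHERE id = ?",
    "2015-10-21T13:04 app_svc web-01 1 SELECT * FROM customers WHERE id = ?",
    "2015-10-21T13:04 report_ro jump-01 1500000 SELECT name, dob, card_number FROM customers",
    "2015-10-21T13:05 app_svc web-03 1 SELECT * FROM customers WHERE id = ?",
    "2015-10-21T13:06 app_svc web-02 1 SELECT * FROM customers WHERE id = ?",
]

# Hosts expected to query the customer database (an assumption of the example).
ALLOWED_DB_CLIENTS = {"web-01", "web-02", "web-03"}


def requests_per_minute(web_lines: List[str]) -> Counter:
    """Count requests per minute from the timestamp field of each access-log line."""
    return Counter(line.split()[0] for line in web_lines)


def ddos_minutes(per_minute: Counter, factor: float = 10.0) -> Set[str]:
    """Minutes whose request count exceeds `factor` times the median minute.

    The median is only a usable baseline while most minutes in the sample are
    normal; a production detector would take its baseline from a longer,
    pre-incident period rather than from the window being examined.
    """
    baseline = median(per_minute.values())
    return {m for m, n in per_minute.items() if n > factor * baseline}


def suspicious_reads(audit_lines: List[str], row_threshold: int = 10_000) -> List[Dict]:
    """Audit entries that look like bulk extraction rather than per-request lookups."""
    hits = []
    for line in audit_lines:
        ts, user, host, rows, stmt = line.split(maxsplit=4)
        reasons = []
        if int(rows) >= row_threshold:
            reasons.append(f"{rows} rows returned")
        if "WHERE" not in stmt.upper():
            reasons.append("unfiltered table read")
        if host not in ALLOWED_DB_CLIENTS:
            reasons.append(f"unexpected client host {host}")
        if reasons:
            hits.append({"ts": ts, "user": user, "host": host, "rows": int(rows),
                         "statement": stmt, "reasons": reasons})
    return hits


def within(ts: str, minutes: Set[str], margin: int = 1) -> bool:
    """True if `ts` falls within `margin` minutes of any minute in `minutes`."""
    t = datetime.strptime(ts, TS_FMT)
    return any(abs(t - datetime.strptime(m, TS_FMT)) <= timedelta(minutes=margin)
               for m in minutes)


def correlate(web_lines: List[str], audit_lines: List[str]) -> List[Dict]:
    """Tag each suspicious read with whether it happened under cover of the flood."""
    flood = ddos_minutes(requests_per_minute(web_lines))
    events = []
    for hit in suspicious_reads(audit_lines):
        hit = dict(hit, during_ddos=within(hit["ts"], flood))
        hit["severity"] = "critical" if hit["during_ddos"] else "high"
        events.append(hit)
    return events


if __name__ == "__main__":
    for event in correlate(make_web_log(), DB_AUDIT_LOG):
        print(event["severity"], event["ts"], event["user"], event["host"],
              "; ".join(event["reasons"]))
```

Run stand-alone, the script reports a single critical event: the 1.5 million-row unfiltered read by an unexpected host at 13:04, inside the flood. The point of the severity bump is operational: a bulk read that would merit attention on a quiet day merits more, not less, when the front door is being hammered.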

TalkTalk statements have consistently only referred to an attack targeting the website.

Yesterday, the company announced that a criminal investigation had been launched by the Metropolitan Police Cyber Crime Unit following the attack. A statement from the Metropolitan Police clarified that the investigation was into an allegation of data theft, which would be an offence under Section 1(1) and Section 1(3) of the Computer Misuse Act 1990, rather than a DDoS attack, which is a separate offence under Section 36(3) of the Police and Justice Act 2006. However, the Cyber Crime Unit's investigation is at an evidence-gathering stage at the moment and the Metropolitan Police was unable to confirm to The Register what crimes they believed had been committed.

The confusion relating to the "website" attack seems to originate inside TalkTalk. Asked why the Met's statement says the allegation of data theft relates to "a Telecommunications website" rather than a server, a Metropolitan Police spokesperson confirmed to The Register that the word "website" came from the initial allegation, which would have been brought by TalkTalk, and was not a product of the Cyber Crime Unit's investigation.

What has been lost?

TalkTalk claimed "the following data may have been accessed":

Names

Addresses

Dates of birth

Email addresses

Telephone numbers

TalkTalk account information

Credit card details and/or bank details

However, it has also asserted that the cybercriminals "can't take money from [a customer's] bank account, but there is a risk they might use the data for identity fraud."

Ferguson reckoned the information stolen could "be either resold for profit or directly repurposed in targeted attacks against TalkTalk customers. These attacks will be aimed either at uncovering supplementary information or directly compromising machines, or both."

Nettitude principal security consultant Chris Oakley commented: “We know that TalkTalk experienced a distributed denial of service (DDoS) attack against their website on Wednesday. However, a DDoS attack would result in a loss of availability rather than a loss of data, so it is unclear what relation this would have had with the data breach.

“The PCI-DSS standard – which regulates the way companies store credit card details – includes some very specific requirements that are designed to ensure that this card data is always properly secured; it is unclear what the TalkTalk PCI compliance status was at the time of this week’s breach. Fundamentally, in order to be compliant, the TalkTalk cardholder data environment should be appropriately minimised and isolated from the rest of their network. The data within should be appropriately secured; cardholder data must be encrypted using strong cryptography.

“TalkTalk hasn’t yet been able to confirm whether there was strong encryption applied to cardholder data; this has got lots of tongues wagging about whether this information was suitably protected... It’ll be a worry to the four million customers affected by this breach that they have yet to receive clarity on this point.”

TalkTalk claimed it was "contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more." However, when both the website and the business's internet service went down on Wednesday, the company said it had taken the website down itself, in a move it described as unrelated to the broadband outage. ®